Metr0pl3x on Nostr: Fairphone devices don't meet our security requirements. They receive the Android ...
Fairphone devices don't meet our security requirements. They receive the Android Security Bulletin patches late, are missing recommended security patches, don't have a secure element with the required features, have insecure/broken verified boot and attestation and other issues.
It's very misleading for them to say that the device will have 6 years of support when for half of the lifetime it won't have full security patches. Pretending it has verified boot when it's known to be completely broken/insecure is also a pretty big issue, and that's a pattern.
One major example of how not having the hardware security features we expect impacts users is that disk encryption doesn't really work for most users without a secure element providing Weaver. With Weaver, a random 6 digit PIN is highly secure. Without Weaver, it's near useless.
Without hardware support, an attacker can do as many attempts as they want regardless of what's enforced by software. Software-enforced attempt limit doesn't really work. Weaver is hardware-enforced throttling by a secure element. It's what makes a random 6 digit PIN secure.
To summarise, they ship the mandatory ASB patches 1-2 months late each month, their SoC is configured insecurely and their verified boot implementation is broken. It's missing years of recommended security patches for vendor code. It doesn't have the expected hardware security features either.
It's very misleading for them to say that the device will have 6 years of support when for half of the lifetime it won't have full security patches. Pretending it has verified boot when it's known to be completely broken/insecure is also a pretty big issue, and that's a pattern.
One major example of how not having the hardware security features we expect impacts users is that disk encryption doesn't really work for most users without a secure element providing Weaver. With Weaver, a random 6 digit PIN is highly secure. Without Weaver, it's near useless.
Without hardware support, an attacker can do as many attempts as they want regardless of what's enforced by software. Software-enforced attempt limit doesn't really work. Weaver is hardware-enforced throttling by a secure element. It's what makes a random 6 digit PIN secure.
To summarise, they ship the mandatory ASB patches 1-2 months late each month, their SoC is configured insecurely and their verified boot implementation is broken. It's missing years of recommended security patches for vendor code. It doesn't have the expected hardware security features either.